rewrite

Signed-off-by: He Jie Xu <[email protected]>

source/common/tls/cert_validator/ipp_crypto.h

@@ -14,13 +14,12 @@ class IppCrypto {
   virtual ~IppCrypto() = default;
 
   virtual int mbxIsCryptoMbApplicable(uint64_t features) PURE;
-  virtual uint32_t mbx_nistp256_ecdsa_verify_mb8(const uint8_t* const pa_sign_r[8],
-                                                  const uint8_t* const pa_sign_s[8],
-                                                  const uint8_t* const pa_msg[8],
-                                                 const uint64_t* const pa_pubx[8],
-                                                 const uint64_t* const pa_puby[8],
-                                                 const uint64_t* const pa_pubz[8],
-                                                        uint8_t* pBuffer) PURE;
+  virtual uint32_t mbx_nistp256_ecdsa_verify_ssl_mb8(const ECDSA_SIG* const pa_sig[8],
+                                             const uint8_t*  const pa_msg[8],
+                                             const BIGNUM* const pa_pubx[8],
+                                             const BIGNUM* const pa_puby[8],
+                                             const BIGNUM* const pa_pubz[8],                                       
+                                                   uint8_t* pBuffer) PURE;
 };
 
 using IppCryptoSharedPtr = std::shared_ptr<IppCrypto>;

source/common/tls/cert_validator/ipp_crypto_impl.h

@@ -15,17 +15,13 @@ class IppCryptoImpl : public virtual IppCrypto {
   int mbxIsCryptoMbApplicable(uint64_t features) override {
     return ::mbx_is_crypto_mb_applicable(features);
   }
-  uint32_t mbx_nistp256_ecdsa_verify_mb8(const uint8_t* const pa_sign_r[8],
-                                                  const uint8_t* const pa_sign_s[8],
-                                                  const uint8_t* const pa_msg[8],
-                                                 const uint64_t* const pa_pubx[8],
-                                                 const uint64_t* const pa_puby[8],
-                                                 const uint64_t* const pa_pubz[8],
-                                                        uint8_t* pBuffer) override {
-    return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg,
-                                           reinterpret_cast<const unsigned long long *const *>(&pa_pubx[0]),
-                                           reinterpret_cast<const unsigned long long *const *>(&pa_puby[0]),
-                                           reinterpret_cast<const unsigned long long *const *>(&pa_pubz[0]), pBuffer);
+  uint32_t mbx_nistp256_ecdsa_verify_ssl_mb8(const ECDSA_SIG* const pa_sig[8],
+                                             const uint8_t*  const pa_msg[8],
+                                             const BIGNUM* const pa_pubx[8],
+                                             const BIGNUM* const pa_puby[8],
+                                             const BIGNUM* const pa_pubz[8],                                       
+                                                   uint8_t* pBuffer) override {
+    return ::mbx_nistp256_ecdsa_verify_ssl_mb8(pa_sig, pa_msg, pa_pubx, pa_puby, pa_pubz, pBuffer);
   }
 };
 

source/common/tls/cert_validator/verifier.cc

@@ -11,47 +11,87 @@ namespace Tls {
 
 int custom_verify(EVP_PKEY_CTX *ctx, 
                   const uint8_t *sig, size_t siglen,
-                  const uint8_t *, //tbs,
+                  const uint8_t * tbs,
                   size_t //tbslen
                   ) {
     ENVOY_LOG_MISC(debug, "custom verify!!!!!!!!!!!!!!!!!!\n");
 
-    uint8_t pa_sign_r[8][32];
-    uint8_t pa_sign_s[8][32];
-    EVP_PKEY_fetch_parameters(ctx, sig, siglen, &pa_sign_r[0][0], &pa_sign_s[0][0]);
+    // uint8_t pa_sign_r[8][32];
+    // uint8_t pa_sign_s[8][32];
+    // EVP_PKEY_fetch_parameters(ctx, sig, siglen, &pa_sign_r[0][0], &pa_sign_s[0][0]);
 
-    uint8_t pa_pubx[8][32];
-    uint8_t pa_puby[8][32];
-    uint8_t pa_pubz[8][32];
-    EVP_PKEY_fetch_points(ctx, &pa_pubx[0][0], &pa_puby[0][0], &pa_pubz[0][0]);
+    // uint8_t pa_pubx[8][32];
+    // uint8_t pa_puby[8][32];
+    // uint8_t pa_pubz[8][32];
+    // EVP_PKEY_fetch_points(ctx, &pa_pubx[0][0], &pa_puby[0][0], &pa_pubz[0][0]);
 
-    uint8_t *sign_r[8];
-    for (int i = 0; i < 8; i++) {
-      sign_r[i] = &pa_sign_r[i][0];
-    }
-    uint8_t *sign_s[8];
-    for (int i = 0; i < 8; i++) {
-      sign_s[i] = &pa_sign_s[i][0];
-    }
+    // uint8_t *sign_r[8];
+    // for (int i = 0; i < 8; i++) {
+    //   sign_r[i] = &pa_sign_r[i][0];
+    // }
+    // uint8_t *sign_s[8];
+    // for (int i = 0; i < 8; i++) {
+    //   sign_s[i] = &pa_sign_s[i][0];
+    // }
+
+    // const uint64_t* pubx[8];
+    // for (int i = 0; i < 8; i++) {
+    //   pubx[i] = reinterpret_cast<uint64_t*>(&pa_pubx[i][0]);
+    // }
+    // const uint64_t* puby[8];
+    // for (int i = 0; i < 8; i++) {
+    //   puby[i] = reinterpret_cast<uint64_t*>(&pa_puby[i][0]);
+    // }
+    // const uint64_t* pubz[8];
+    // for (int i = 0; i < 8; i++) {
+    //   pubz[i] = reinterpret_cast<uint64_t*>(&pa_pubz[i][0]);
+    // }
+
 
-    const uint64_t* pubx[8];
+    ECDSA_SIG *ec_sigs[8] = {nullptr};
     for (int i = 0; i < 8; i++) {
-      pubx[i] = reinterpret_cast<uint64_t*>(&pa_pubx[i][0]);
+      ec_sigs[i] = ECDSA_SIG_from_bytes(sig, siglen);
+      if (ec_sigs[i] == nullptr) {
+          ENVOY_LOG_MISC(debug, "parse the signature failed");
+      }
     }
-    const uint64_t* puby[8];
+    const uint8_t* msg[8];
     for (int i = 0; i < 8; i++) {
-      puby[i] = reinterpret_cast<uint64_t*>(&pa_puby[i][0]);
+      msg[i] = tbs;
     }
-    const uint64_t* pubz[8];
-    for (int i = 0; i < 8; i++) {
-      pubz[i] = reinterpret_cast<uint64_t*>(&pa_pubz[i][0]);
+
+    const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(EVP_PKEY_CTX_get0_pkey(ctx));
+    const EC_GROUP *group = EC_KEY_get0_group(ec_key);
+    const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key);
+    if (ec_key == nullptr || group == nullptr) {
+      ENVOY_LOG_MISC(debug, "parse the pub key failed");
+      return 0;
     }
-    const uint8_t* msg[8];
+
+    BIGNUM x;
+    BIGNUM y;
+    EC_POINT_get_affine_coordinates_GFp(group, pub_key, &x, &y, nullptr);
+
+    BIGNUM* pubx[8] = {nullptr};
+    BIGNUM* puby[8] = {nullptr};
     for (int i = 0; i < 8; i++) {
-      msg[i] = sig;
+      pubx[i] = &x;
+      puby[i] = &y;
     }
+    // OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
+    //                                                    const EC_POINT *point,
+    //                                                    BIGNUM *x, BIGNUM *y,
+    //                                                    BN_CTX *ctx);
     IppCryptoImpl crypto;
-    return crypto.mbx_nistp256_ecdsa_verify_mb8(sign_r, sign_s, msg, pubx, puby, pubz, nullptr) == 0;
+    return crypto.mbx_nistp256_ecdsa_verify_ssl_mb8(ec_sigs, msg, pubx, puby, nullptr, nullptr);
+    // uint32_t mbx_nistp256_ecdsa_verify_ssl_mb8(const ECDSA_SIG* const pa_sig[8],
+    //                                          const uint8_t*  const pa_msg[8],
+    //                                          const BIGNUM* const pa_pubx[8],
+    //                                          const BIGNUM* const pa_puby[8],
+    //                                          const BIGNUM* const pa_pubz[8],                                       
+    //                                                uint8_t* pBuffer)
+
+    // return crypto.mbx_nistp256_ecdsa_verify_mb8(sign_r, sign_s, msg, pubx, puby, pubz, nullptr) == 0;
     // mbx_status mbx_nistp256_ecdsa_verify_mb8(const int8u* const pa_sign_r[8],
     //                                               const int8u* const pa_sign_s[8],
     //                                               const int8u* const pa_msg[8],